Five US senators have sent a letter to Secretary of State Mike Pompeo requesting answers as to why the State Department has not widely deployed basic cyber-security protections, such as multi-factor authentication (MFA).

The letter was sent yesterday and was signed by senators Ron Wyden [D-Ore], Cory Gardner [R-Colo], Ed Markey [D-Mass], Rand Paul [R-Ky], and Jeanne Shaheen [D-N.H.].

The letter [PDF] cites two reports. The first is the General Service Administration's assessment of cybersecurity practices. It shows the State Department has only implemented multi-factor authentication for 11% of "high-value devices." When the mandated goal is 100%, this barely reaches the level of "grossly inadequate."

Considering the amount of turnover the agency has had in the past several months, you'd think it would be considerably more concerned with internal security. But it isn't. And, as the letter points out, it's not just stupid. It's also illegal.

According to a 2018 General Service Administration (GSA) assessment of federal cybersecurity, the Department of State had only deployed enhanced access controls across 11% of required agency devices. This despite a law -- the Federal Cybersecurity Enhancement Act -- requiring all Executive Branch agencies to enable MFA for all accounts with "elevated privileges."

Breaking the law. And just generally not doing much whatsoever on the security front.

Similarly, the Department of State's Inspector General (IG) found last year that 33% of diplomatic missions failed to conduct even the most basic cyber threat management practices, like regular reviews and audits. The IG also noted that experts who tested these systems "successfully exploited vulnerabilities in email accounts of Department personnel as well as Department applications and operating systems."

The senators are hoping the State Department will have answers to a handful of cybersecurity-related questions by October 12th, but given the agency's progress toward compliance with a law that has been on the books for two years at this point, I wouldn't expect the responses to arrive any more promptly.

The agency's track record on security isn't great, and these recent developments only further cement its reputation as a government agency ripe for exploitation. The agency's asset-tracking program only tracks Windows devices, its employees are routinely careless with their handling of classified info, and, lest we forget, its former boss ran her own email server rather than use the agency's. Of course, given this long list of security failures, there's a good possibility an off-site server had more baked-in security than the agency's homebrew.

from the um,-guys? dept

For all the talk of "fake news" going around these days, you'd think that the federal government would avoid creating more of its own on purpose. And you'd think that the MPAA and RIAA would know better than to join in on such a project. However, the following email was sent to some folks at Stanford Law School asking the law school to join in this fake news project promoting intellectual property via a fake Twitter feud:

Good Morning! My name is H------, and I am reaching out to you from the State Department’s Bureau of Economic Affairs. I gave you a call a little earlier this morning, but I thought I would follow up with an email as well.

Currently, I am working on a social media project with the Office of Intellectual Property Enforcement. This summer, we want to activate an audience of young professionals -- the kind of folks who are interested in foreign policy, but who aren’t aware that intellectual property protection touches every part of their lives. I think the law school students at your institution may be the type of community that we would like to engage. Additionally, we know that your law school is ranked among the top schools in Intellectual Property law, and thus our campaign may not only be fun, but relevant for you all as well.

So a little bit of a recap from the message that I left you this morning. The Bureau of Economic and Business Affairs wants to start a fake Twitter feud. For this feud, we would like to invite you and other similar academic institutions to participate and throw in your own ideas!

The week after the 4th of July, when everyone gets back from vacation but will still feel patriotic and summery, we want to tweet an audacious statement like, “Bet you couldn’t see the Independence Day fireworks without bifocals; first American diplomat Ben Franklin invented them #bestIPmoment @StateDept” Our public diplomacy office is still settling on a hashtag and a specific moment that will be unique to the State Department, but then we invite you to respond with your own #MostAmericanIP, or #BestIPMoment. Perhaps it will be an alumnus defending intellectual property in the courts or an article that your institution has produced regarding this topic.

Some characters from the IP community here in DC have agreed to participate with their own tweets: US Patent and Trademark Office, the Copyright Alliance, the Motion Picture Association of America, the Copyright Office, and the Recording Industry Association of America. We hope to diversify this crowd with academic institutions, sports affiliations, trade associations, and others!

Please give me a call or email me with any questions, comments, or concerns. I look forward to hearing from you soon!

Sincerely,
H--------
Official
UNCLASSIFIED

So, let's break this down. This is literally the State Department, working with the IP Enforcement Coordinator (normally called the "IP Czar") to team up with the MPAA, RIAA and Copyright Alliance (a front group for the RIAA and MPAA), along with the Patent & Trademark Office and the Copyright Office to create a fake Twitter feud over who likes copyright and patents more.

Everything about this is crazy. First, the State Dept. should not be creating fake news or fake Twitter feuds. Second, even if it were to do so, it seems to have picked one side of the debate, arguing that greater copyright and patent enforcement is obviously a good thing (how far we've come from the time when it was the State Department that fought back against SOPA and told the White House not to support it).

Separate from that, why are the MPAA, the RIAA and the Copyright Alliance agreeing to team up with the US government to create fake stories? That seems... really, really wrong. I get that they are obsessed with always pushing a misleading and one-sided message on copyright law, but creating out and out propaganda with the US government?

Also, even if the geniuses at IPEC -- an office that was set up in 2008 under another anti-piracy copyright law -- falsely believe it's their job to push Hollywood's message out to the world, how could they possibly have thought it was a bright idea to engage in outright propaganda using Twitter... and to try to enlist law school professors and students in these shenanigans?

I've put out a request for comment from the State Department's Bureau of Economic Affairs, and will update this post if I hear back.

from the confirming-unofficial-statements-from-US-officials dept

Prosecutors seeking to justify a lengthy sentence (and the abuses that had already occurred) in the Chelsea Manning case insisted the documents she leaked had caused serious damage to those exposed by them. They said this even as multiple government officials admitted the most the United States had suffered was some embarrassment. A damage assessment by the military's Information Review Task Force (IRTF), obtained by journalist Jason Leopold, says as much.

Regarding the hundreds of thousands of Iraq-related military documents and State Department cables provided by the Army private Chelsea Manning, the report assessed “with high confidence that disclosure of the Iraq data set will have no direct personal impact on current and former U.S. leadership in Iraq.”

This doesn't necessarily mean no damage was done. But the report confirms the United States did not suffer the damage from the Manning leaks that prosecutors claimed.

The report also determined that a different set of documents that was published the same year, relating to the U.S. war in Afghanistan, would not result in “significant impact” to U.S. operations. It did, however, have the potential to cause “serious damage” to “intelligence sources, informants and the Afghan population” and U.S and NATO intelligence collection efforts.

The report [PDF] also notes investigators located the encrypted Wikileaks "insurance" file -- one Julian Assange says he'll release the key to if he feels his ability to disseminate information is threatened. (Stay tuned!) The assessment concludes it's unlikely this file contains anything damaging either.

Based on public statements by Assange, the IRTF assesses with moderate confidence that the "Insurance File" does not contain any USG data beyond what the IRTF has already reviewed.

The document dates back to 2011. It may have been of some use in Manning's defense during the trial (a defense severely limited by the nature of espionage proceedings). As Leopold notes, Manning was not allowed to view this report. Instead, she was forced to fight the charges blind while prosecutors cherry-picked portions of the report to bolster their arguments.

Not that any of this matters at this point. The damage has already been done to Manning's life. And Manning's prosecution likely serves as a low-key chilling effect to dissuade potential leakers and whistleblowers from publicly humiliating the US government. But it does show the government is willing to use evidence that doesn't actually exist to secure a conviction.

from the nation-is-too-damn-insecure dept

It looks as though the Supreme Court may have to step in and settle a particularly thorny question involving the First Amendment, Second Amendment, national security interests, and 3D-printed weapons. Cody Wilson and his company, Defense Distributed, sued the State Department over its demands he cease distributing instructions for the creation of weapons and weapons parts.

The State Department came along too late to make much of a difference. It claimed Wilson's instructions violated international arms distribution laws, but by the time it noticed what Defense Distributed was doing, the instructions were all over the web. They still are, and no amount of litigation or government orders is going to change that.

What Defense Distributed is doing is perfectly legal in the United States. The State Department says it's illegal to put these instructions in the hands of foreign enemies. Since it can't control internet traffic, it's decided to take down the publisher.

That's the First Amendment implication, which can't really be separated from Second Amendment concerns considering the legality of distributing these instructions domestically. Last September, the Fifth Circuit Appeals Court found [PDF] in favor of the government and its national security concerns.

Because both public interests asserted here are strong, we find it most helpful to focus on the balance of harm requirement, which looks to the relative harm to both parties if the injunction is granted or denied. If we affirm the district court’s denial, but Plaintiffs-Appellants eventually prove they are entitled to a permanent injunction, their constitutional rights will have been violated in the meantime, but only temporarily. Plaintiffs-Appellants argue that this result is absurd because the Published Files are already available through third party websites such as the Pirate Bay, but granting the preliminary injunction sought by Plaintiffs-Appellants would allow them to share online not only the Published Files but also any new, previously unpublished files. That leads us to the other side of the balance of harm inquiry.

If we reverse the district court’s denial and instead grant the preliminary injunction, Plaintiffs-Appellants would legally be permitted to post on the internet as many 3D printing and CNC milling files as they wish, including the Ghost Gunner CNC milling files for producing AR-15 lower receivers and additional 3D-printed weapons and weapon parts. Even if Plaintiffs-Appellants eventually fail to obtain a permanent injunction, the files posted in the interim would remain online essentially forever, hosted by foreign websites such as the Pirate Bay and freely available worldwide. That is not a far-fetched hypothetical: the initial Published Files are still available on such sites, and Plaintiffs-Appellants have indicated they will share additional, previously unreleased files as soon as they are permitted to do so. Because those files would never go away, a preliminary injunction would function, in effect, as a permanent injunction as to all files released in the interim. Thus, the national defense and national security interest would be harmed forever. The fact that national security might be permanently harmed while Plaintiffs-Appellants’ constitutional rights might be temporarily harmed strongly supports our conclusion that the district court did not abuse its discretion in weighing the balance in favor of national defense and national security.

A lengthy dissent challenged the First Amendment implications of this decision, which brought prior restraint into play by forbidding Defense Distributed from posting new instructions, along with further distribution of plans it had already released. But the majority didn't find much it liked in the dissent -- at least not when weighing it against the government's national security interests.

The dissent argues that we “should have held that the domestic internet publication” of the technical data at issue presents no “immediate danger to national security, especially in light of the fact that many of these files are now widely available over the Internet and that the world is awash with small arms.” We note the following:

(1) If Plaintiffs-Appellants’ publication on the Internet were truly domestic, i.e., limited to United States citizens, there is no question that it would be legal. The question presented in this case is whether Plaintiffs-Appellants may place such files on the Internet for unrestricted worldwide download.

(2) This case does not concern only the files that Plaintiffs-Appellants previously made available online. Plaintiffs-Appellants have indicated their intent to make many more files available for download as soon as they are legally allowed to do so. Thus, the bulk of the potential harm has not yet been done but could be if Plaintiffs-Appellants obtain a preliminary injunction that is later determined to have been erroneously granted.

(3) The world may be “awash with small arms,” but it is not yet awash with the ability to make untraceable firearms anywhere with virtually no technical skill. For these reasons and the ones we set out above, we remain convinced that the potential permanent harm to the State Department’s strong national security interest outweighs the potential temporary harm to Plaintiffs-Appellants’ strong First Amendment interest.

The majority also pointed out the government can violate the First Amendment in the interest of national security, and that this court in particular seemed inclined to let it.

Defense Distributed asked for an en banc rehearing. That has been denied [PDF]. This denial gives the dissent the chance to lead off (so to speak), and the first thing it does is point out the obvious First Amendment violations.

The panel opinion’s flawed preliminary injunction analysis permits perhaps the most egregious deprivation of First Amendment rights possible: a content-based prior restraint. [...] First, the panel opinion fails to review the likelihood of success on the merits—which ten of our sister circuits agree is an essential inquiry in a First Amendment preliminary injunction case. Second, the panel opinion accepts that a mere assertion of a national security interest is a sufficient justification for a prior restraint on speech. Third, the panel opinion conducts a fundamentally flawed analysis of irreparable harm.

As the dissent points out, the majority chose to deploy prior restraint based on little more than the government's vague claims of insecurity.

The Government contends that the gun designs at issue could potentially threaten national security. However, this speculation falls far short of the required showing under Bernard and Nebraska Press, showing neither the immediacy of the danger nor the necessity of the prior restraint. Allowing such a paltry assertion of national security interests to justify a grave deprivation of First Amendment rights treats the words “national security” as a magic spell, the mere invocation of which makes free speech instantly disappear.

But this is exactly what the government does: make rights disappear with its "magic spell." And the courts continue to let it do this. In this case alone, the invocation of "national security" resulted in three consecutive decisions (district court and twice at the appeals court) in favor of prior restraint.

If the Supreme Court decides to review this, there's little in its track record suggesting it will do otherwise. But there's zero chance the government will let this go unregulated, even if the Supreme Court grants Defense Distributed a permanent injunction against the State Department. The government needs to have this threat of prosecution to hang over the head of Defense Distributed, as well as others with similar interests.

If this appears to operate in an area existing legislation can't touch, additional legislation will be introduced to address it. That may result in the government pressing ISPs into service to regulate internet traffic -- spying on users to catch them in the act of distributing illegal gun manufacturing plans. We'll have a Border Patrol but for the internet, maintained by private companies but overseen by the government.

It's not that there aren't potentially-serious repercussions from the distribution of 3D-printed gun plans. There's lots to be concerned about, but the concerns aren't new ones. Untraceable guns end up in the hands of people who aren't supposed to have them all the time. Printing one at home isn't a feasible reality for most people, especially those whose income and expertise are limited, which is most of the world.

Rights aren't sold separately. They're a bundle. The multiple opinions in this case have mostly ignored the Second Amendment implications in favor of examining the First. But those should be considered as well. If it's legal to manufacture these parts in the US, the State Department's order overreaches. Its concerns about worldwide distribution may be valid, but it's impossible to prevent this distribution without preventing Americans from doing something their government has told them it's ok to do.

from the grilled-leaks dept

The phone calls are coming from inside the house, it seems. The newly minted Trump government has suffered under one of the most porous climates in recent Presidential memory, with information leaking to the press from seemingly everywhere. This is happening for several reasons, which include the technology that enables such leaks, the controversial nature of our current President and some of his actions, and the fact that, whatever else one might want to say about President Trump, his administration is certainly active, meaning there is much more about which to leak. This has led to Trump, along with members of his team, making strange noises about a crackdown on these leaks. The threats incorporated in this crackdown have included FBI investigations (the FBI being where many of the leaks have come from), random phone checks by the communications staff with Sean Spicer playing Angry Dad, and the promise of a purge of any longstanding government staffers suspected of leaking information to the press.

And, yet, the leaks persist. And they often persist in laughable ways. We already had Spicer's phone-check and leak-plugging emergency meeting with his staff leak to the press. Now the Washington Post has an article all about the State Department's memo that warned State staff against leaking anything to the press.

The State Department legal office prepared a four-page memo for Secretary of State Rex Tillerson warning of the dangers of leaking by State Department employees. It promptly leaked, to me. That’s only the latest sign that the relationship between the Trump administration political appointees and the State Department professional workforce is still very much a work in progress.

The Feb. 20 memo by State Department acting legal adviser Richard Visek to Tillerson is entitled “SBU: Protecting Privileged Information.” The SBU stands for Sensitive But Unclassified, a designation used on documents that are not technically secret but also not supposed to be shared. The memo itself is marked SBU and begins with a detailed explanation of how and when Tillerson has the privilege of protecting certain types of information from public disclosure, such as anything that has to do with internal State Department deliberations. But the bulk of the memo is devoted to arguments for clamping down on unauthorized disclosures of sensitive information, also known as leaking.

One can only hope that whoever leaked the memo to the Washington Post chuckled to themselves as they did so -- so tasty the irony was. Look, it's understandable why a White House or government would be irritated by press leaks. But trying to wage some kind of war against them is only going to result in the administration looking very, very foolish, as it does in this story. Leaks have always been a thing in government. They always will be. Trump can shake his fist angrily at the clouds all he wants, but the rain will still come. Even Tillerson's admittedly tightened grip over the State Department isn't going to help.

Several State Department officials told me that they see evidence that an effort by Tillerson to stymie leaking is already underway. For example, detailed readouts of Tillerson’s meetings with foreign officials are no longer distributed widely inside the building, leaving officials in relevant bureaus unsure exactly what transpired. Another official told me Tillerson has shortened the list of officials allowed inside the daily 9:15 a.m. senior staff meeting, which has previously served as a key channel through which various State Department offices and bureaus learn about the day’s agenda and get direction from the secretary’s office. A third State Department official told me he was instructed to make requests for policy information and guidance over the phone or in person, rather than commit any policy discussions to an email that might be leaked.

Making government less efficient in the interest of plugging leaks works against good government operations and obviously isn't solving the problem.

And, like so many things Trump, there's no consistency in his anger on the topic. Trump was perfectly happy to discuss leaks from the DNC while on the campaign trail. In addition to that, members of both his campaign team and his administration are known to regularly leak information to the press for the purposes of steering media discussion in the President's favor. As with so many things, it's fine if Team Trump does it, but not anyone else.

Regardless, it sure will be fun to watch the White House attempt to keep press leaks from being a thing. After all, if you can't even keep the memos about not leaking from leaking, the really good stuff is almost sure to come out.

from the silent-killer dept

Those defending bulk domestic surveillance have dismissively referred to the take as "just metadata." To many people, this likely seems acceptable. It's nothing but call records... or so it often seems. But "just metadata" is actually surveillance state slang for almost anything that can be obtained without a warrant or subpoena -- which includes anything the government considers to be a "third party record," like financial transactions and historical cell site location data.

"Just metadata" is actually a dangerous thing when left in the hands of intelligence agencies. It's what turned State Department advisor Robin Raphel's diplomatic work with Pakistani officials into a severely misguided -- and severely intrusive -- espionage investigation. A series of blundering investigations into people who had done nothing wrong resulted in the DOJ changing its investigative guidelines, but not before Raphel's house was raided (twice) by the FBI and her reputation severely damaged.

In February 2013, according to law-enforcement officials, the FBI received information that made its agents think Raphel might be a Pakistani mole.

The tip came in the form of intercepted communications that suggested Raphel had shared sensitive inside information without authorization. Two officials said this included information collected on wiretaps of Pakistani officials in the U.S.

[...]

Investigators began what they call “circling the target,” which means examining the parts of Raphel’s life they could explore without subpoenas or warrants.

[...]

One of the first things they looked at was her “metadata”—the electronic traces of who she called or emailed, and also when and for how long. Her metadata showed she was in frequent contact with a host of Pakistan officials that didn’t seem to match what the FBI believed was her rank and role.
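The "circling the target" step described above works entirely on records like these. As an added example (not the FBI's tooling, and not code from the Journal's reporting), here is the kind of contact profile that call metadata alone supports: timestamps, counterparty identifiers and durations, with no call content at all. The records are constructed, and the EXPECTED_CONTACTS set is a hypothetical stand-in for the Bureau's model of whom someone of Raphel's "rank and role" should be talking to.

```python
"""Contact-pattern analysis over call metadata ("who, when, how long").

Added example for this article; it is not the FBI's tooling or code from the
Wall Street Journal piece. The records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed call-detail records: (timestamp, counterparty, duration in seconds).
# Every record is a call the subject placed or received; content is never present.
SAMPLE_CDR = [
    ("2013-01-07T09:12:00", "PK-EMBASSY-DCM", 540),
    ("2013-01-08T14:30:00", "PK-SENIOR-OFFICIAL-A", 1200),
    ("2013-01-08T22:05:00", "PK-SENIOR-OFFICIAL-A", 300),
    ("2013-01-09T10:00:00", "PK-MFA-DESK", 420),
    ("2013-01-10T19:45:00", "PK-SENIOR-OFFICIAL-A", 900),
    ("2013-01-11T11:15:00", "FAMILY-1", 600),
    ("2013-01-12T08:30:00", "STATE-COLLEAGUE", 180),
    ("2013-01-14T13:00:00", "PK-SENIOR-OFFICIAL-A", 1500),
    ("2013-01-15T09:00:00", "PK-EMBASSY-DCM", 300),
    ("2013-01-16T21:00:00", "PK-SENIOR-OFFICIAL-A", 700),
    ("2013-01-17T12:00:00", "FAMILY-1", 240),
    ("2013-01-18T15:00:00", "PK-SENIOR-OFFICIAL-A", 800),
]

# Hypothetical analyst model of whom someone in the subject's "rank and role"
# would be expected to talk to. This set is an assumption for the example.
EXPECTED_CONTACTS = {"PK-EMBASSY-DCM", "PK-MFA-DESK", "STATE-COLLEAGUE", "FAMILY-1"}

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as "in hours"


def contact_profile(records):
    """Aggregate the metadata per counterparty.

    Returns {counterparty: {"calls", "seconds", "days", "off_hours"}}.
    Everything here is derived from timestamps, identifiers and durations.
    """
    agg = defaultdict(lambda: {"calls": 0, "seconds": 0, "days": set(), "off_hours": 0})
    for ts, party, seconds in records:
        when = datetime.fromisoformat(ts)
        entry = agg[party]
        entry["calls"] += 1
        entry["seconds"] += seconds
        entry["days"].add(when.date())
        if when.hour not in BUSINESS_HOURS:
            entry["off_hours"] += 1
    # Freeze the per-day sets into counts so the result is plain data.
    return {p: {**e, "days": len(e["days"])} for p, e in agg.items()}


def rank_contacts(profile):
    """Counterparties ordered by call count, then total talk time, descending."""
    return sorted(profile, key=lambda p: (profile[p]["calls"], profile[p]["seconds"]), reverse=True)


def flag_unexpected(profile, expected, min_calls=3):
    """Counterparties outside the expected set with at least min_calls calls.

    A hit here is the kind of "doesn't seem to match her rank and role" signal
    the article describes. It says nothing about what was discussed or whether
    anything improper happened; it only says the pattern is not explained by the
    analyst's model, and the model itself may be wrong.
    """
    return [
        p for p in rank_contacts(profile)
        if p not in expected and profile[p]["calls"] >= min_calls
    ]


if __name__ == "__main__":
    prof = contact_profile(SAMPLE_CDR)
    for party in rank_contacts(prof):
        e = prof[party]
        print(f"{party:22} calls={e['calls']:2} minutes={e['seconds'] / 60:5.1f} "
              f"days={e['days']} off_hours={e['off_hours']}")
    print("outside expected model:", flag_unexpected(prof, EXPECTED_CONTACTS))
```

Run as a script, it ranks PK-SENIOR-OFFICIAL-A first (six calls over five days, three of them outside business hours, 90 minutes of talk time) and flags that counterparty as outside the expected model. The caveat is the one the article goes on to make: the flag measures distance from the analyst's assumptions about the job, not wrongdoing, and in Raphel's case those assumptions were wrong about what the job actually required.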

The reason Raphel worked outside of her "rank and role" was because staying within the system meant dealing only with Pakistani officials who would be unable or unwilling to part with useful information. Raphel had plenty of experience in dealing with Pakistan's often-volatile relationship with the US -- something that had been strained even further by the nuclear-related sanctions imposed under President George H.W. Bush, by President Obama's increasing reliance on drone strikes, and by the 2011 NATO airstrike that mistakenly killed 24 Pakistani troops rather than the target the US was seeking.

Raphel may have operated outside of her "rank and role," but she was still aligned with the US's goals, rather than pursuing her own agenda. Apparently, nearly four decades of service to the US government meant nothing. Spurred on by the Snowden leaks, the FBI had a renewed interest in hunting down potential "threats." This is what moved the investigation from mere metadata to something far more intrusive.

After months of circling the target, FBI supervisors decided it was time to delve deeper. To monitor Raphel’s private conversations with Lodhi and other contacts on Skype, the FBI obtained a warrant from the Foreign Intelligence Surveillance Court—a decision approved at the highest levels of the FBI and the Justice Department.

The FBI used these communications to build a case against Raphel. It still had nothing that showed criminal intent, or indeed anything resembling wrongdoing. But it did -- with its limited experience in dealing with diplomatic targets -- feel something wasn't quite right. It had lots of "smoke" but no "smoking gun," according to a former FBI official. It dumped a bunch of "smoke" into an affidavit and secured a "sneak and peek" warrant for Raphel's home. After an extensive search, it managed to locate a 20-year-old file related to Raphel's "Diplomatic Security" investigation. Something of little consequence to anyone -- especially this far removed from its originating date -- was used to justify the FBI's more intrusive search later, one that resulted in Raphel's electronic devices and computers being seized.

The search also led to perhaps the most incongruous question Raphel had ever been asked.

Two FBI agents approached her, their faces stony. “Do you know any foreigners?” they asked.

Raphel’s jaw dropped. She had served as a diplomat in six capitals on four continents. She had been an ambassador, and the State Department’s assistant secretary for South Asian affairs. Knowing foreigners had been her job.

“Of course,” she responded, “Tons…Hundreds.”

This was followed by more FBI activity that bore the unmistakable imprint of recently-installed director James Comey. The FBI routed its inquiries with the State Department to someone who wouldn't talk to anyone else about its actions. It forbade the State Department from informing Raphel's coworkers why she wouldn't be returning to work while simultaneously leaking news of the investigation to the New York Times.

The FBI finally began talking to other State Department officials and employees, most of whom felt they had to explain how diplomacy actually worked. They didn't like what they saw in the FBI's "mole-hunting" effort.

At times, Raphel’s colleagues pushed back—warning the FBI that their investigation risked “criminalizing diplomacy,” according to a former official who was briefed on the interviews.

The interviews undercut the FBI's narrative, but that did nothing to slow the agency's roll towards an indictment. The DOJ, however, seemed less sure of the merits of a prosecution. But it also did little to head the FBI off. Meanwhile, Raphel lost not only her career but also her life savings.

Raphel heard nothing for months from the FBI. She had already spent about $100,000 on legal fees, which she paid by tapping into her savings, but the bills were piling up. Jones set up a legal-defense fund and 103 of Raphel’s friends and colleagues, mostly from the State Department, donated nearly $122,000.

The 20-year-old document on which the prosecution hinged could very well have been declassified while the government pursued a conviction, leaving it with nothing but thousands of taxpayer dollars spent and the embarrassment of being unable to tell the difference between diplomatic activity in volatile outposts and actual espionage.

The investigation was finally closed without charges in March of this year. To date, Raphel's security clearance is still revoked and her career as a diplomat is effectively over. This is what "just metadata" -- along with a newfound enthusiasm for hunting down "insider threats" -- can do to a person who spent nearly 40 years serving their country.

Curious about where the agency got that oddly specific number from -- and with plenty of time on his hands -- Shawn filed a follow-up request for any documentation outlining State's methodology for estimating FOIA completion dates. That was on August 5th, 2013, and he got an acknowledgement back on August 8th, just three days later.

Don't get used to that kind of timeliness.

Two months later, he's given his first ECD for this request -- December 2013.

Only a few months of processing, perfectly reasonable for operational manuals that FOIA officers should have easily accessible.

Except apparently not, because come December, he's given a new ECD -- May 2014.

Well, okay, we should cut them some slack -- as they said, there are extenuating factors, and if they feel they need another five months, that shouldn't be too big of a deal, so long as they-

Oh, you've got to be kidding.

December 2014. A full year since the initial filing. Alright, not great, but how much longer could it take, really?

Oh, come on! Now you're just being ridiculous, State -- the original ECD for the Thatcher docs was February 2015. How could this be a month harder to process than that? Why not just go ahead and take the rest of the year if you're feeling swamped.

Wait, no, it was a joke, don't-

Nooooooo. Why are you doing this? Are you just messing with us?

You are just messing with us, aren't you!

Come on, that's not even a date!

Alright, that's better.

Wait, no it's not, that's actually much worse -- how could you possibly need until June? You finally released the Thatcher docs that started this whole mess in May!

... Are we dead? Is this Hell?

Noooooooooooooo

It's October 2016. Shawn Musgrave is a sadder and a wiser man. And we are still waiting for the State Department to tell us how long it takes to process its FOIA requests.

from the good-luck-with-that dept

It would appear that Congress is not so happy that the State Department is a major funding source for the Tor project. Tor, of course, is the internet anonymizing system that was originally developed with support from the US government as a way to promote free and safe access to the internet for people around the globe (mostly focusing on those under threat in authoritarian countries). Of course, other parts of our government aren't huge fans of Tor, because it doesn't just help activists and dissidents in other countries avoid detection, but also, well, just about anyone (except on days when the FBI decides to hack their way in).

There has, of course, always been some tension there. There are always conspiracy theorists who believe that because Tor receives US government funding it is compromised by default. Those tend to be tinfoil-hat-wearing types, though. The folks who work on Tor are not exactly known for being friendly to intrusive government surveillance; they tend to be the exact opposite. And the Snowden documents showed that Tor was one tool that still stymied the NSA in most cases.

But it appears that Congress may be quietly trying to undermine this. On Friday, Politico had a tiny blurb in passing about how the latest State Department appropriations bill making its way through Congress includes some references to stopping "circumvention technologies" from being used by bad people. The Politico report suggests this is designed to apply more broadly to encryption, but reading the specifics it appears to be targeted straight at Tor. Here's the Senate report on the appropriations, where it discusses funding related to "internet freedom."

That, of course, was the reasoning behind Tor in the first place, but here Congress is now trying to put some limitations on what the State Dept. can do with its funds, including demanding that it seek out ways to stop bad guys from using technology like Tor. In the report, it's described this way:

...the Committee requires that spend plans submitted by the Department of State and BBG pursuant to section 7078(c) of the act include a description of safeguards to ensure that circumvention technologies are not used for illicit purposes, such as coordinating terrorist activities or online sexual exploitation of children.

In the full bill, the key section makes funding for the development of new internet freedom tools available only after the government has evaluated their risks and put safeguards in place against their misuse.

... made available for the research and development of new tools or techniques authorized in paragraph (A) only after the BBG CEO, in consultation with the Secretary of State and other relevant United States Government departments and agencies, evaluates the risks and benefits of such new tools or techniques, and establishes safeguards to minimize the use of such new tools or techniques for illicit purposes.

In case you're wondering, the "BBG CEO" is the CEO of the Broadcasting Board of Governors, the US government agency that manages media efforts around the globe, such as the Voice of America.

Make no mistake, this looks like an attempt to sneak an attack on Tor into the State Department's funding via Congress. Tor has been developed to provide the strongest anonymity and privacy tools available to people using the internet, with the acknowledgement that it can be misused, because the people developing it recognize that the best way to protect the vast majority of its users is to build a system that is truly secure, not one that artificially tries to limit its uses. Hopefully this provision is changed; otherwise it may eventually be leveraged to attack Tor's funding and to pressure the State Department into dropping its support for such useful projects.

from the not-even-the-sting-of-a-wrist-slap dept

FBI Director James Comey just held a press conference detailing the FBI's findings during its investigation of Hillary Clinton's use of a private email server. The findings are irrefutably ugly.

The FBI, "painstakingly" reassembling emails scattered to the digital wind by device abandonment, multiple server upgrades, lawyers' brute-force attempts to separate personal emails from work-related emails, and a general lack of professionalism across the board, found that Clinton's private email server contained:

110 classified emails in 52 email chains

8 chains containing top secret information

36 chains containing "secret" information

8 chains containing "confidential" information

All 52 chains contained information that was classified at the time it was sent or received (Comey noted that only a very small number of the emails actually bore classification markings). Additionally, another 2,000 emails had been "up-classified" to confidential after being sent or received.

It also found several work-related emails Clinton's staff did not include with the 30,000 handed over to the State Department for release to FOIA requesters.

There was no built-in archival function in Clinton's private server setup, a basic feature considered essential by professionals. This slowed the FBI's investigation as it was forced to reconstruct emails from the digital detritus left behind by "routine purging" and device deactivation.

As noted above, Clinton's lawyers made several efforts to delete "personal" emails, but they did so by using searches and header info, rather than actually reading the emails' content. The FBI did read the content of what it could recover, finding it likely that some work-related emails vanished during these purges. It also discovered Clinton hired some smart lawyers: "lawyers cleaned their devices in such a way as to preclude complete forensic recovery."

But at the end of it all, the FBI found Clinton's use of private email server to be severely stupid, rather than criminal. Comey says the FBI found no signs of "intentional misconduct" by lawyers during personal email deletions or routine purges. Likewise, there was "no clear evidence of intentional misconduct by staffers," but Clinton's emails were "clearly mishandled."

The FBI's final conclusion is damning, but only in terms of harsh words, not actual punishment. Clinton and her staff "knew or should have known" a private email server was "no way to properly handle classified email" -- especially when housed on a private server with "no full-time staff" or anything approaching the level of service one would expect from a commercial provider like Gmail. Comey also noted that Clinton used her personal domain "extensively" outside of the US, needlessly exposing sensitive information in the "presence of hostile actors."

James Comey also took a little time to bash her agency, stating that the FBI found the "security culture" of the State Department to be "lacking."

But for anyone who was hoping this would result in criminal charges, the FBI has nothing in the way of good news. Comey says it's not the FBI's call to pursue prosecution, but stated that "no reasonable prosecutor would bring such a case" against Clinton, despite her repeated careless handling of sensitive info via her barely-competent private email service.

Final call, according to Comey: Clinton and her staffers may be subject to security or administrative sanctions, but "no [criminal] charges are appropriate" in this case.

Clinton walks. The FBI has determined there was no malice in her actions. Being stupid and dishonest is no crime, at least not as far as the FBI is willing to push it. The DOJ has the final call, but it's highly unlikely it will override the FBI's recommendation. The decision is one that people in Clinton's position are far more likely to receive. Others lower on the political ladder -- or, god forbid, just average voting Americans -- are far less likely to receive this much deference from the nation's top prosecutors.

The emails, reviewed by The Associated Press, show that State Department technical staff disabled software on their systems intended to block phishing emails that could deliver dangerous viruses. They were trying urgently to resolve delivery problems with emails sent from Clinton's private server.

"This should trump all other activities," a senior technical official, Ken LaVolpe, told IT employees in a Dec. 17, 2010, email. Another senior State Department official, Thomas W. Lawrence, wrote days later in an email that deputy chief of staff Huma Abedin personally was asking for an update about the repairs. Abedin and Clinton, who both used Clinton's private server, had complained that emails each sent to State Department employees were not being reliably received.

After technical staffers turned off some security features, Lawrence cautioned in an email, "We view this as a Band-Aid and fear it's not 100 percent fully effective."

Trial and error is a normal part of debugging mail delivery problems, but the implication is undeniable: to get mail from Clinton's private, insecure email server to arrive at the State Department's, the Department had to -- at least temporarily -- lower itself to Clinton's security level. The other workaround -- USE A DAMN STATE DEPARTMENT EMAIL ADDRESS -- was seriously discussed.
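The AP report quoted above says only that technical staff disabled software meant to block phishing so that mail from the private server would get through; it does not say which checks that mail was failing. As an added example, not from the AP report or the original post, the Python below models one common sender-authentication check that a self-hosted mail server often trips: SPF (RFC 7208), where the receiving filter looks up the sending domain's published policy and decides whether the connecting IP is authorized to send for it. It evaluates a constructed, in-memory table of TXT records (the domains example-sender.test, _spf.mailhost.test and unlisted-sender.test and every address are made up), so it runs offline, and it implements only the ip4, ip6, include and all mechanisms. The point it makes is the one the post makes: the correct fix for a legitimate sender that fails the check is to publish that host in the sender's own SPF record (authorize_host below), not to switch off the receiver's filter.

```python
"""Minimal SPF (RFC 7208) evaluator over constructed, in-memory DNS data.

Added illustration only: the constructed domains, addresses and records below
are made up, and only the ip4, ip6, include and all mechanisms are handled.
"""
import ipaddress

# Constructed TXT records standing in for real DNS (not real domains or hosts).
FAKE_DNS_TXT = {
    "example-sender.test": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.test -all",
    "_spf.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "unlisted-sender.test": "v=spf1 ip4:192.0.2.1 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10


def lookup_spf(domain, dns):
    """Return the domain's SPF record, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(sender_domain, client_ip, dns, _depth=0):
    """Evaluate the sending domain's SPF policy against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(sender_domain, dns)
    if record is None:
        return "none"  # no policy published: the receiver can assert nothing
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: the sender's problem to fix
            matched = ip.version == net.version and ip in net
        elif name == "include":
            sub = check_spf(arg, client_ip, dns, _depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral from the included policy: no match, keep going
        else:
            return "permerror"  # a, mx, exists, redirect, ... not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def authorize_host(domain, host_ip, dns):
    """Sender-side fix: publish the host in the domain's SPF record.

    The new ip4/ip6 mechanism goes in front of the final "all" term, so the
    receiver's filter can stay exactly as it is. Returns the updated record.
    """
    record = lookup_spf(domain, dns) or "v=spf1 -all"
    ip = ipaddress.ip_address(host_ip)
    mechanism = f"ip{ip.version}:{host_ip}"
    terms = record.split()
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms.insert(i, mechanism)
            break
    else:
        terms.append(mechanism)
    dns[domain.lower()] = " ".join(terms)
    return dns[domain.lower()]


if __name__ == "__main__":
    dns = dict(FAKE_DNS_TXT)
    # A host the domain's mail provider publishes: the filter passes it.
    print("published relay:", check_spf("example-sender.test", "198.51.100.20", dns))
    # A self-hosted server nobody published: the filter hard-fails it.
    print("unlisted server:", check_spf("example-sender.test", "203.0.113.99", dns))
    # The right fix is on the sending side; the receiver's check is untouched.
    print("sender fixed:   ", authorize_host("example-sender.test", "203.0.113.99", dns))
    print("after fix:      ", check_spf("example-sender.test", "203.0.113.99", dns))
```

Running the block prints pass for the published relay, fail for the unlisted private server, and pass again once the sender's record lists that server. A production evaluator would also need the a, mx, exists and redirect mechanisms, the lookup limit enforced across all of them, and DKIM and DMARC alongside SPF; none of that changes which side of the connection the fix belongs on.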

This latest stack of emails also exposed other interesting things... like the fact that Clinton's private email server was attacked multiple times in one day, resulting in staffers taking it offline in an attempt to prevent a breach. (h/t Pwn All The Things)

In addition to the security issues, there's also some discussion about why Clinton was choosing to use her own server.

In one email, the State Department's IT person explains the agency already has an email address set up for Clinton, but offers to delete anything contained in it -- and points out that using the State Dept. address would make future emails subject to FOIA requests.

[W]e actually have an account previously set up: SSHRC@state.gov. There are some old emails but none since Jan '11 -- we could get rid of them.

You should be aware that any email would go through the Department's infrastructure and subject to FOIA searches.

So, there's one reason Clinton would have opted to use a personal email address and server. More confirmation of the rationale behind this decision appears in an earlier email (2010) from Clinton to her aide, Huma Abedin.

Abedin: We should talk about putting you on state email or releasing your email to the department so you are not going to spam.

Clinton: Let's get separate address or device but I don't want any risk of the personal being accessible.

There appears to be some intent to dodge FOIA requests -- either by ensuring "no documents found" when Clinton's State Department email address was searched, or by being able to control any release by being the chokepoint for responsive documents.

To accomplish this, Clinton's team set up a private email server that was insecure and did not follow State Department guidelines. In fact, her team brushed off the agency more than once before finally informing it that they simply would not comply with State Department regulations.

In a blistering audit released last month, the State Department's inspector general concluded that Clinton and her team ignored clear internal guidance that her email setup broke federal standards and could leave sensitive material vulnerable to hackers. Her aides twice brushed aside concerns, in one case telling technical staff "the matter was not to be discussed further," the report said.

The FBI investigation that Clinton refuses to call an investigation continues. There may be no criminal charges forthcoming, but there's already plenty of evidence that Clinton's use of a private email server was not only dangerously insecure, but put into place in hopes of limiting her accountability.